Organizational Controls
Tenable Security Center and the CIS CAS help set the foundation for the organization's journey through the Implementation Groups. The Organization controls are part of IG2 and IG3, and provide next steps and a wider focus for overall risk management. At this stage the organization needs to be able to take inventory of its risk mitigation progress and begin planning the next iteration of the risk mitigation efforts. CIS Controls 17 - 20 provide the organization with steps that complete the IG1 journey and prepare it for IG2 and IG3.
The four Organization controls are:
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
The CIS groups these final 4 controls into the Organization Controls, and states:
“All of these topics are a critical, foundational part of any cyber defense program, but they are different in character than CIS Controls 1-16. While they have many technical elements, these are less focused on technical controls and more focused on people and processes. They are pervasive in that they must be considered across the entire enterprise, and across all of CIS Controls 1-16. Their measurements and metrics of success are driven more by observations about process steps and outcomes, and less by technical data gathering. They are also complex topics in their own right, each with an existing body of literature and guidance.
Therefore we present CIS Controls 17-20 as follows: for each CIS Control, we identify a small number of elements that we believe are critical to an effective program in each area. We then describe processes and resources which can be used to develop a more comprehensive enterprise treatment of each topic. Although there are many excellent commercial resources available, we provide open and non-profit sources where possible. The ideas, requirements, and processes expressed in the references are well supported by the commercial marketplace.”
Tenable Security Center provides valuable information to aid in these final 4 steps, each of which will be discussed individually. However, for the IG1 journey there are no measurable steps to be taken. The final section in this guide will provide suggestions on how the data previously collected can be used to aid in closing the IG1 journey and preparing for IG2.